uninstall.exe

Cashsyst

Fedorov Paul

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional 3rd-party software, mostly unwanted adware, and may be installed without consent. The application uninstall.exe by Fedorov Paul has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex installer. This is the uninstaller utility registered in the Windows Control Panel for the program Cashsyst by Kurs.ru, Inc.
Publisher:
Kurs.ru, Inc.  (signed by Fedorov Paul)

Product:
Cashsyst

Version:
1.0.0

MD5:
abdb1f866dab372aca0252545a615972

SHA-1:
d0f2b26e046906925b1b0ab94b32cc59b140a71e

SHA-256:
2b20f8500f1ce797c80077fc9772fc37c7019e7fb4287c5c1d98bb09513faf20

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/25/2024 6:27:44 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Webpick.FedorovP.Bundler (M)

Engine version:
16.3.24.0

File size:
461.6 KB (472,672 bytes)

Product version:
1.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\Program Files\cashsyst\uninstall.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/30/2013 4:00:00 AM

Valid to:
10/17/2014 3:59:59 AM

Subject:
CN=Fedorov Paul, OU=Individual Developer, O=No Organization Affiliation, L=Saint-Petersburg, S=Saint-Petersburg, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4775A986F383176992FD70C1405B2DEA

File PE Metadata
Compilation timestamp:
2/19/2012 6:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
12288:NtoblE8zqovTf4PEQvUeQbqGQxqWMC7m5Dl3zn5ir+:NtEEPmf4PZvUeuZpWp7mxl3zn5ir+

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)

Program Uninstaller
Program name:
Cashsyst

Display publisher:
Kurs.ru, Inc.

Display version:
1.0.0

Uninstall string:
C:\Program Files (x86)\Cashsyst\uninstall.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove uninstall.exe - Powered by Reason Core Security